authorMatthieu Huin <mhuin@redhat.com>2019-06-21 12:38:19 +0200
committerMatthieu Huin <mhuin@redhat.com>2019-07-10 12:11:14 +0200
commit6a7235fb506480dd2df7d712f441a5dd663c0da7 (patch)
tree547016261af9758286a33cba550fcb47de6bb494 /etc
parent86f071464dafd584c995790dce30e2e3ca98f5ac (diff)
web: add tenant and project scoped, JWT-protected actions
A user with the right JSON Web Token (JWT) can trigger an autohold, reenqueue or dequeue a buildset from the web API. The Token is expected to include a key called "zuul.admin" that contains a list of the tenants the user is allowed to perform these actions on. The Token must be passed as a bearer token in an Authorization header. The Token is validated thanks to authenticator declarations in Zuul's configuration file. Change-Id: Ief9088812f44368f14234ddfa25ba872526b8735
Diffstat (limited to 'etc')
-rw-r--r--etc/zuul.conf-sample9
1 files changed, 9 insertions, 0 deletions
diff --git a/etc/zuul.conf-sample b/etc/zuul.conf-sample
index de9cf0047..9479ef480 100644
--- a/etc/zuul.conf-sample
+++ b/etc/zuul.conf-sample
@@ -40,6 +40,15 @@ port=9000
static_cache_expiry=0
status_url=https://zuul.example.com/status
+[auth zuul_operator]
+driver=HS256
+allow_authz_override=true
+realm=zuul.example.com
+default=true
+client_id=zuul.example.com
+issuer_id=zuul_operator
+secret=NoDanaOnlyZuul
+
[connection gerrit]
driver=gerrit
server=review.example.com
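Review bot: The new `[auth zuul_operator]` section ships a fixed, human-readable HS256 key (`secret=NoDanaOnlyZuul`) with nothing marking it as a placeholder, so a deployment that copies this sample verbatim signs and verifies admin tokens with a publicly known secret. Because HS256 is symmetric, anyone who knows that value can mint a token carrying a `zuul.admin` claim. `allow_authz_override=true` appears to let such claims take effect on their own, though this is inferred from the option name and the commit message and should be confirmed against the authenticator code. I would add a full-line comment above the key, e.g. `# CHANGE ME: use a long random value and keep this file readable only by the zuul user` (using whichever comment character the rest of the sample uses), and make the value an obvious placeholder such as `secret=REPLACE_WITH_RANDOM_SECRET`. A one-line comment above `allow_authz_override` stating what it permits would also help operators decide whether to leave it enabled.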